After reading the topic about the suspicious implementation of the Jabber protocol in the Mail.ru Agent application, as well as the comments from Swappp and naum about the interesting lines in the module, I decided to check what was inside.
After spending half an hour searching for utilities and downloading Mail.ru Agent binaries, I got a listing of some of the strings that are present inside the JABBER_0X2001FACA.DLL file. For the convenience of readers unfamiliar with the code of the Jabber module from Miranda IM, I'll give a comparison of the strings found with our sources:
XML processing (logging)

| Offset | String | Miranda IM source file (line) |
|---|---|---|
| 00032C7C | `TAG_MAX_LEN too small, ignore current tag` | jabber_xml.cpp (192) |
| 00032CA8 | `ATTR_MAX_LEN too small, ignore current tag` | jabber_xml.cpp (214) |
| 00032CE0 | `XML: skip <?xml> tag` | jabber_xml.cpp (343) |
| 00032CF8 | `XML: Closing </%s> without opening tag` | jabber_xml.cpp (419) |

Base stanza processing (logging)

| Offset | String | Miranda IM source file (line) |
|---|---|---|
| 0002C464 | `Invalid top-level tag (only <message /> <presence /> and <iq /> allowed)` | jabber_thread.cpp (889) |
| 0002C4AC | `Invalid top-level tag (only <iq /> allowed)` | jabber_thread.cpp (895) |

Login process (logging)

| Offset | String | Miranda IM source file (line) |
|---|---|---|
| 0002C6A8 | `Requesting TLS` | jabber_thread.cpp (667) |
| 0002C7D8 | `after successful sasl` | jabber_thread.cpp (831) |
| 0002C8AC | `<iq /> iqIdGetBookmarks` | jabber_iqid.cpp (1456) |
| 0002C968 | `<iq /> iqIdGetVcard` | jabber_iqid.cpp (731) |
| 0002CA8C | `<iq /> iqIdGetRoster` | jabber_iqid.cpp (351) |
| 0002E998 | `Never publish the hash below` | jabber_secur.cpp (191) |

Login process (data)

| Offset | String | Miranda IM source file (line) |
|---|---|---|
| 0002E900 | `username=\"%s\",realm=\"%s\",nonce=\"%s\",cnonce=\"%s\",nc=%08d,qop=auth,digest-uri=\"xmpp/%s\",charset=utf-8,response=%08x%08x%08x%08x` | jabber_secur.cpp (156) |

As we can see, almost all of the strings (except the last) are debugging information and belong either to the functions for working with XML or to the process of connecting to the XMPP network. I can see that the rest of the Jabber module is heavily tied to the Windows interface and/or the architecture of Miranda itself.
Also of interest is the use of single quotes ['] in the XML stream, as was done in the 0.7 branch of the Jabber module from Miranda (in the 0.8 branch, double quotes ["] are used, and they are subjectively more popular).
I am not a connoisseur of the insides of binary modules for SymbianOS, but in the list of strings I also came across the names of the classes used in our code to support different login methods. Judging by the presence of similar strings with “class-like” content and a number at the beginning, such strings will be generated for most classes. I draw attention to the inconsistent letter case in the abbreviations MD5 and NTLM.
Class names

| Offset | String |
|---|---|
| 0002EA18 | `11TJabberAuth` |
| 0002EA30 | `10TPlainAuth` |
| 0002EA4C | `8TMD5Auth` |
| 0002EA64 | `9TNtlmAuth` |

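
The comparison shown in the tables above can be automated. The following Python sketch is an added example, not code from the original post or from Miranda IM: it extracts printable strings with their offsets from a binary, matches them against string literals in source files, and decodes length-prefixed class names (the leading number equals the length of the name). The sample blob, the source files and their names are constructed for illustration.

```python
import re

def extract_strings(blob, min_len=6):
    """(offset, text) for each printable-ASCII run, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, blob)]

def literal_index(sources, min_len=6):
    """Map every C string literal in `sources` ({file: text}) to its first (file, line)."""
    index = {}
    for name, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in re.finditer(r'"((?:[^"\\]|\\.)*)"', line):
                value = re.sub(r"\\(.)", r"\1", m.group(1))  # simplified unescape: \" -> "
                if len(value) >= min_len:  # very short literals match by accident
                    index.setdefault(value, (name, lineno))
    return index

def class_name(text):
    """Decode a length-prefixed type name such as '8TMD5Auth' -> 'TMD5Auth', else None."""
    m = re.fullmatch(r"(\d+)([A-Za-z_]\w*)", text)
    return m.group(2) if m and int(m.group(1)) == len(m.group(2)) else None

def compare(blob, sources):
    """Return (source matches, class names) found among the strings of `blob`."""
    index = literal_index(sources)
    matches, classes = [], []
    for offset, text in extract_strings(blob):
        if text in index:
            matches.append((offset, text) + index[text])
        elif class_name(text):
            classes.append((offset, class_name(text)))
    return matches, classes

# Constructed sample data: a fake binary image and two fake source files.
SAMPLE_BLOB = (b"\x00\x01\x7f\x00Requesting TLS\x00\xff\xfe"
               b"XML: Closing </%s> without opening tag\x00\x00"
               b"11TJabberAuth\x008TMD5Auth\x009TNtlmAuth\x00\x03unrelated text\x00")
SAMPLE_SOURCES = {
    "sample_thread.cpp": 'void f() {\n  Log("Requesting TLS");\n}\n',
    "sample_xml.cpp": '// parser\n\n  Log("XML: Closing </%s> without opening tag", tag);\n',
}

if __name__ == "__main__":
    found, types = compare(SAMPLE_BLOB, SAMPLE_SOURCES)
    for offset, text, name, lineno in found:
        print(f"{offset:08X} | {text} | {name} ({lineno})")
    for offset, name in types:
        print(f"{offset:08X} | class {name}")
```
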
By the way, I wonder how appropriate NTLM authorization is on a mobile phone :) (Update: they say it is appropriate and, if desired, the hash can be calculated manually; well, that's not the point.)
In the context of what has been seen, the comment about “yes what can be taken from Miranda” sounds interesting.
It is very interesting to me, what exactly in the implementation of XMPP would be useful to “steal” from Miranda? Maybe the connection sequence? But it is described in open sources, and in detail. Maybe the XML parser? And why would we need it, we already had one and used it. Maybe the plugin structure? Why would we need it, we have our own.
Here two components of the protocol that are in doubt are mentioned, along with the well-known modular architecture of Miranda IM. About the rest of the protocol, not a word :)
I do not know whether our code is inside the Mobile Agent or not; only the authors of the Agent themselves can say for certain. The above facts were collected exclusively from open sources for general familiarization with the situation. My knowledge of analyzing SymbianOS binary modules is rather poor, and it would be interesting to hear comments from Swappp and naum, especially in the light of this remark.
PS At the moment, the beta versions of the Agent have been removed from the Mail.Ru site, and they are also being removed from other sites. Users who installed version 1.15 on the phone are automatically “updated” to the older version 1.11.